Amendments to the Claims

Claim 1 (canceled) 

Claim 2 (currently amended): The computer program product according to Claim [[1]] 38, wherein [[the]] strong cryptographic techniques are used for the first security association and the second security association and are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.

Claims 3-4 (canceled)

Claim 5 (currently amended): The computer program product according to Claim [[1]] 38, wherein the computer-readable program code means for [[providing secure communications]] securely sending and the computer-readable program code means for securely receiving [[further comprises computer-readable program code means for establishing]] comprise use of a secure channel established between the security enforcement function and the access control function.

Claim 6 (currently amended): The computer program product according to Claim [[1]] 38, wherein the first security association specifies only coarse-grained access control information.

Claim 7 (currently amended): The computer program product according to Claim [[1]] 38, wherein the first authenticated identity associated with the first [[host]] end device is an identification of a user of the first [[host]] end device.
Claim 8 (currently amended): The computer program product according to Claim [[1]] 38, wherein the first authenticated identity associated with the first [[host]] end device is an identification of an application executing on the first [[host]] end device.

Claim 9 (currently amended): The computer program product according to Claim [[1]] 38, wherein the second security association specifies only coarse-grained access control information.

Claim 10 (currently amended): The computer program product according to Claim [[1]] 38, wherein the second authenticated identity associated with the second [[host]] end device is an identification of a user of the second [[host]] end device.

Claim 11 (currently amended): The computer program product according to Claim [[1]] 38, wherein the second authenticated identity associated with the second [[host]] end device is an identification of an application executing on the second [[host]] end device.

Claim 12 (canceled) 

Claim 13 (currently amended): The system according to Claim [[12]] 41, wherein [[the]] strong cryptographic techniques are used for the first security association and the second security association and are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.

Claims 14-15 (canceled)

Claim 16 (currently amended): The system according to Claim [[12]] 41, wherein [[the security enforcement function operates in the boundary device, and wherein]] the means for securely sending and the means for securely receiving [[providing secure communications further comprises means for establishing]] comprise use of a secure channel established between the security enforcement function and the access control function.

Claim 17 (currently amended): The system according to Claim [[12]] 41, wherein the security enforcement function also operates in the first [[host]] end device and in the second [[host]] end device, [[and wherein the means for providing secure communications]] further comprising:
    [[comprises]] means for [[establishing secure channels]] securely communicating between the security enforcement function in the first end device and the access control function to determine whether the first end device can send a particular data packet to the second end device; and
    means for securely communicating between the security enforcement function in the [[and]] second [[hosts]] end device and the access control function to determine whether the second end device can receive the particular data packet from the first end device.

Claim 18 (currently amended): The system according to Claim [[12]] 41, wherein the first authenticated identity associated with the first [[host]] end device is an identification of a user of the first [[host]] end device and/or an application executing on the first [[host]] end device.

Claim 19 (currently amended): The system according to Claim [[12]] 41, wherein the second authenticated identity associated with the second [[host]] end device is an identification of a user of the second [[host]] end device and/or an application executing on the second [[host]] end device.

Claim 20 (canceled) 

Claim 21 (currently amended): The method according to Claim [[20]] 44, wherein [[the]] strong cryptographic techniques are used for the first security association and the second security association and are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.

Claims 22-23 (canceled)

Claim 24 (currently amended): The method according to Claim [[20]] 44, wherein [[the security enforcement function operates in the boundary device, and wherein]] the securely sending step and the securely receiving step [[of providing secure communications further comprises the step of establishing]] comprise use of a secure channel established between the security enforcement function and the access control function.
Claim 25 (currently amended): The method according to Claim [[20]] 44, wherein the security enforcement function also operates in the first [[host]] end device and in the second [[host]] end device, [[and wherein the step of providing secure communications]] further comprising the steps of:
    securely communicating [[comprises the step of establishing secure channels]] between the security enforcement function in the first end device and the access control function to determine whether the first end device can send a particular data packet to the second end device; and
    securely communicating between the security enforcement function in the [[and]] second [[hosts]] end device and the access control function to determine whether the second end device can receive the particular data packet from the first end device.

Claim 26 (currently amended): The method according to Claim [[20]] 44, wherein the first authenticated identity associated with the first [[host]] end device is an identification of a user of the first [[host]] end device and/or an application executing on the first [[host]] end device.

Claim 27 (currently amended): The method according to Claim [[20]] 44, wherein the second authenticated identity associated with the second [[host]] end device is an identification of a user of the second [[host]] end device and/or an application executing on the second [[host]] end device.

Claim 28 (canceled) 

Claim 29 (currently amended): The method according to Claim [[28]] 47, wherein [[the]] strong cryptographic techniques are used for the first security association and the second security association and are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.

Claims 30-32 (canceled)

Claim 33 (currently amended): The method according to Claim [[28]] 47, wherein:
    the step of securely sending and the step of securely receiving [[providing secure communications between the first security enforcement function and the access control function]] each further comprise [[comprises]] the step of using [[establishing]] a first secure channel established between the first security enforcement function and the access control function when the data packet has reached the first boundary device or using [[; and the step of providing secure communications between the second security enforcement function and the access control function further comprises the step of establishing]] a second secure channel established between the second security enforcement function and the access control function when the data packet has reached the second boundary device.

Claim 34 (currently amended): The method according to Claim [[28]] 47, wherein the first authenticated identity associated with the first [[host]] end device is an identification of a user of the first [[host]] end device and/or an application executing on the first [[host]] end device.

Claim 35 (currently amended): The method according to Claim [[28]] 47, wherein the second authenticated identity associated with the second [[host]] end device is an identification of a user of the second [[host]] end device and/or an application executing on the second [[host]] end device.

Claim 36 (previously presented): A method for providing fine-grained, identity-based access control in a computer networking environment, comprising steps of:
    establishing a mutually-authenticated connection between a first end device and a second end device using strong cryptographic techniques, wherein the mutually-authenticated connection comprises a first mutually-authenticated network segment between the first end device and a boundary device providing network-layer protection and a second mutually-authenticated network segment between the second end device and the boundary device;
    extracting a first authenticated identity associated with the first end device and a second authenticated identity associated with the second end device during the step of establishing the mutually-authenticated connection;
    providing secure communications between a security enforcement function operating in the boundary device and an access control function;
    providing the extracted first and second authenticated identities, by the security enforcement function, to the access control function;
    determining access privileges of the first end device and the second end device, by the access control function, based upon the provided extracted identities;
    securely communicating packet-handling directives from the access control function to the security enforcement function, based upon the determined access privileges; and
    using the packet-handling directives, by the security enforcement function, to determine whether to forward packets sent by the first end device on the first network segment to the second end device on the second network segment.

Claim 37 (canceled) 



Claim 38 (new): A computer program product for providing fine-grained, identity-based access control in a computer networking environment, the computer program product embodied on one or more computer-readable media and comprising:
    computer-readable program code means for storing, for a security enforcement function operating in a network-layer boundary device, a first authenticated identity associated with a first end device with which the boundary device has established a first mutually-authenticated network-layer security association;
    computer-readable program code means for storing, for the security enforcement function, a second authenticated identity associated with a second end device with which the boundary device has established a second mutually-authenticated network-layer security association; and
    computer-readable program code means for using the first authenticated identity and the second authenticated identity to determine whether a data packet traveling between the first end device and the second end device over the first security association and the second security association is to be forwarded or discarded upon reaching the boundary device, further comprising:
        computer-readable program code means for securely sending the first authenticated identity and the second authenticated identity from the security enforcement function to an access control function, responsive to the data packet reaching the boundary device, such that the access control function can use the securely-sent identities to obtain corresponding access privileges and generate packet-handling directives based thereupon;
        computer-readable program code means for securely receiving, by the security enforcement function, the packet-handling directives from the access control function; and
        computer-readable program code means, operable at the security enforcement function, for either forwarding or discarding the data packet, depending on the received packet-handling directives.



Claim 39 (new): The computer program product according to Claim 38, wherein the computer-readable program code means for using further comprises computer-readable program code means for examining the data packet to determine the first and second authenticated identities, responsive to the data packet reaching the boundary device and prior to operation of the computer-readable program code means for securely sending.

Claim 40 (new): The computer program product according to Claim 38, wherein the first authenticated identity is obtained for the security enforcement function from the first end device when the boundary device and the first end device establish the first security association and the second authenticated identity is obtained for the security enforcement function from the second end device when the boundary device and the second end device establish the second security association.

Claim 41 (new): A system for providing fine-grained, identity-based access control in a computer networking environment, comprising:
    means for storing, for a security enforcement function operating in a network-layer boundary device, a first authenticated identity associated with a first end device with which the boundary device has established a first mutually-authenticated network-layer security association;
    means for storing, for the security enforcement function, a second authenticated identity associated with a second end device with which the boundary device has established a second mutually-authenticated network-layer security association; and
    means for using the first authenticated identity and the second authenticated identity to determine whether a data packet traveling between the first end device and the second end device over the first security association and the second security association is to be forwarded or discarded upon reaching the boundary device, further comprising:
        means for securely sending the first authenticated identity and the second authenticated identity from the security enforcement function to an access control function, responsive to the data packet reaching the boundary device, such that the access control function can use the securely-sent identities to obtain corresponding access privileges and generate packet-handling directives based thereupon;
        means for securely receiving, by the security enforcement function, the packet-handling directives from the access control function; and
        means, operable at the security enforcement function, for either forwarding or discarding the data packet, depending on the received packet-handling directives.

Claim 42 (new): The system according to Claim 41, wherein the means for using further comprises means for examining the data packet to determine the first and second authenticated identities, responsive to the data packet reaching the boundary device and prior to operation of the means for securely sending.

Claim 43 (new): The system according to Claim 41, wherein the first authenticated identity is obtained for the security enforcement function from the first end device when the boundary device and the first end device establish the first security association and the second authenticated identity is obtained for the security enforcement function from the second end device when the boundary device and the second end device establish the second security association.

Claim 44 (new): A method for providing fine-grained, identity-based access control in a computer networking environment, comprising steps of:
    storing, for a security enforcement function operating in a network-layer boundary device, a first authenticated identity associated with a first end device with which the boundary device has established a first mutually-authenticated network-layer security association;
    storing, for the security enforcement function, a second authenticated identity associated with a second end device with which the boundary device has established a second mutually-authenticated network-layer security association; and
    using the first authenticated identity and the second authenticated identity to determine whether a data packet traveling between the first end device and the second end device over the first security association and the second security association is to be forwarded or discarded upon reaching the boundary device, further comprising steps of:
        securely sending the first authenticated identity and the second authenticated identity from the security enforcement function to an access control function, responsive to the data packet reaching the boundary device, such that the access control function can use the securely-sent identities to obtain corresponding access privileges and generate packet-handling directives based thereupon;
        securely receiving, by the security enforcement function, the packet-handling directives from the access control function; and
        either forwarding or discarding the data packet, at the security enforcement function, depending on the received packet-handling directives.

Claim 45 (new): The method according to Claim 44, wherein the using step further comprises the step of examining the data packet to determine the first and second authenticated identities, responsive to the data packet reaching the boundary device and prior to operation of the securely sending step.

Claim 46 (new): The method according to Claim 44, wherein the first authenticated identity is obtained for the security enforcement function from the first end device when the boundary device and the first end device establish the first security association and the second authenticated identity is obtained for the security enforcement function from the second end device when the boundary device and the second end device establish the second security association.

Claim 47 (new): A method for providing fine-grained, identity-based access control in a computer networking environment, comprising steps of:
    storing, for a first security enforcement function operating in a first network-layer boundary device, a first authenticated identity associated with a first end device with which the first boundary device has established a first mutually-authenticated network-layer security association;
    storing, for a second security enforcement function operating in a second network-layer boundary device, a second authenticated identity associated with a second end device with which the second boundary device has established a second mutually-authenticated network-layer security association;
    establishing a third mutually-authenticated security association between the first boundary device and the second boundary device; and
    using the first authenticated identity and the second authenticated identity to determine whether a data packet traveling between the first end device and the second end device over the first security association, the third security association, and the second security association is to be forwarded or discarded upon reaching either of the boundary devices, further comprising steps of:
        securely sending the first authenticated identity and the second authenticated identity from the first security enforcement function to an access control function, responsive to the data packet reaching the first boundary device, or from the second security enforcement function to the access control function, responsive to the data packet reaching the second boundary device, such that the access control function can use the securely-sent identities to obtain corresponding access privileges and generate packet-handling directives based thereupon;
        securely receiving, by the first security enforcement function when the authenticated identities are sent therefrom, or by the second security enforcement function when the authenticated identities are sent therefrom, the packet-handling directives from the access control function; and
        either forwarding or discarding the data packet, at the security enforcement function receiving the packet-handling directives, depending on the received packet-handling directives.
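The enforcement flow of claims 44 to 46 (identities stored per security association as it is established, both identities sent to the access control function when a packet reaches the boundary device, a packet-handling directive returned and applied), as an added Python model that is not code from the patent or any product. Class names, the message format and the sample policy are constructed, and the SEF-ACF secure channel is modelled as HMAC-authenticated messages over a constructed pre-shared key in place of the IKE/IPsec-protected channel the claims describe; the two-boundary-device variant of claim 47 is not modelled.

```python
"""Model of the access control flow described in claims 44-46 (added
illustration, not code from the patent). Names, message formats and the
policy are constructed; the SEF-ACF "secure channel" is modelled as
HMAC-authenticated messages over a constructed pre-shared key."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

FORWARD, DISCARD = "forward", "discard"

def _mac(key: bytes, message: dict) -> str:
    # Canonical JSON encoding so both sides compute the same MAC.
    body = json.dumps(message, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

@dataclass
class AccessControlFunction:
    """Maps (sender identity, receiver identity) to a packet-handling directive."""
    channel_key: bytes
    policy: dict  # {(src_identity, dst_identity): FORWARD}; anything else is discarded

    def decide(self, request: dict, mac: str) -> tuple:
        # Only act on identities that arrived over the authenticated channel.
        if not hmac.compare_digest(_mac(self.channel_key, request), mac):
            raise ValueError("unauthenticated request from SEF")
        directive = self.policy.get((request["src_id"], request["dst_id"]), DISCARD)
        reply = {"pkt": request["pkt"], "directive": directive}
        return reply, _mac(self.channel_key, reply)

@dataclass
class SecurityEnforcementFunction:
    """Runs in the boundary device; keeps one authenticated identity per SA."""
    acf: AccessControlFunction
    channel_key: bytes
    identities: dict = field(default_factory=dict)  # sa_id -> authenticated identity

    def sa_established(self, sa_id: str, identity: str) -> None:
        # Identity obtained while the SA was mutually authenticated (claim 46).
        self.identities[sa_id] = identity

    def handle_packet(self, pkt: dict) -> str:
        # Examine the packet for the SAs it traverses to recover both identities (claim 45).
        src_id = self.identities.get(pkt["in_sa"])
        dst_id = self.identities.get(pkt["out_sa"])
        if src_id is None or dst_id is None:
            return DISCARD  # fail closed: an SA with no stored identity
        request = {"pkt": pkt["id"], "src_id": src_id, "dst_id": dst_id}
        reply, mac = self.acf.decide(request, _mac(self.channel_key, request))
        if not hmac.compare_digest(_mac(self.channel_key, reply), mac):
            return DISCARD  # directive not authentic: fail closed
        return reply["directive"]

def demo() -> list:
    key = b"constructed-pre-shared-channel-key"
    acf = AccessControlFunction(key, {("user:alice", "app:payroll-db"): FORWARD})
    sef = SecurityEnforcementFunction(acf, key)
    sef.sa_established("sa-1", "user:alice")      # first end device, user identity
    sef.sa_established("sa-2", "app:payroll-db")  # second end device, application identity
    sef.sa_established("sa-3", "user:mallory")    # authenticated, but no privileges
    return [
        sef.handle_packet({"id": 1, "in_sa": "sa-1", "out_sa": "sa-2"}),  # forward
        sef.handle_packet({"id": 2, "in_sa": "sa-3", "out_sa": "sa-2"}),  # discard
        sef.handle_packet({"id": 3, "in_sa": "sa-9", "out_sa": "sa-2"}),  # discard
    ]
```

The third packet shows the case the claims' per-SA storage implies but does not spell out: a packet over an SA for which no authenticated identity was stored is discarded rather than passed to the access control function.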